- Fix label for /var/run/udev to udev_var_run_t

- Mock needs to be able to read network state
2011-04-04 17:35:35 +00:00 · 2011-04-04 17:35:35 +00:00 · fb7e97f251
parent 462b89a9a5
commit fb7e97f251
2 changed files with 219 additions and 108 deletions
--- a/policy-F16.patch
+++ b/policy-F16.patch
@ -32212,7 +32212,7 @@ index 8581040..2367841 100644
 	allow $1 nagios_t:process { ptrace signal_perms };
 diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te
-index bf64a4c..f1eff62 100644
+index bf64a4c..8a9789c 100644
 --- a/policy/modules/services/nagios.te
 +++ b/policy/modules/services/nagios.te
@@ -79,6 +79,7 @@ files_spool_filetrans(nagios_t, nagios_spool_t, fifo_file)
@ -32284,7 +32284,15 @@ index bf64a4c..f1eff62 100644
 dev_read_sysfs(nrpe_t)
 dev_read_urand(nrpe_t)
-@@ -270,12 +273,10 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
+@@ -211,6 +214,7 @@ domain_read_all_domains_state(nrpe_t)
 files_read_etc_runtime_files(nrpe_t)
 files_read_etc_files(nrpe_t)
 +files_read_usr_files(nrpe_t)
 fs_getattr_all_fs(nrpe_t)
 fs_search_auto_mountpoints(nrpe_t)
@@ -270,12 +274,10 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
 #
 allow nagios_mail_plugin_t self:capability { setuid setgid dac_override };
@ -32297,7 +32305,7 @@ index bf64a4c..f1eff62 100644
 kernel_read_kernel_sysctls(nagios_mail_plugin_t)
 corecmd_read_bin_files(nagios_mail_plugin_t)
-@@ -299,7 +300,7 @@ optional_policy(`
+@@ -299,7 +301,7 @@ optional_policy(`
 optional_policy(`
 	postfix_stream_connect_master(nagios_mail_plugin_t)
@ -32306,7 +32314,7 @@ index bf64a4c..f1eff62 100644
 ')
 ######################################
-@@ -310,6 +311,9 @@ optional_policy(`
+@@ -310,6 +312,9 @@ optional_policy(`
 # needed by ioctl()
 allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
@ -32316,7 +32324,7 @@ index bf64a4c..f1eff62 100644
 files_read_etc_runtime_files(nagios_checkdisk_plugin_t)
 fs_getattr_all_fs(nagios_checkdisk_plugin_t)
-@@ -323,7 +327,6 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
+@@ -323,7 +328,6 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
 allow nagios_services_plugin_t self:capability { net_bind_service net_raw };
 allow nagios_services_plugin_t self:process { signal sigkill };
@ -32324,7 +32332,7 @@ index bf64a4c..f1eff62 100644
 allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms;
 allow nagios_services_plugin_t self:udp_socket create_socket_perms;
-@@ -340,6 +343,8 @@ files_read_usr_files(nagios_services_plugin_t)
+@@ -340,6 +344,8 @@ files_read_usr_files(nagios_services_plugin_t)
 optional_policy(`
 	netutils_domtrans_ping(nagios_services_plugin_t)
@ -32333,7 +32341,7 @@ index bf64a4c..f1eff62 100644
 ')
 optional_policy(`
-@@ -363,7 +368,6 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
+@@ -363,7 +369,6 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
 manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t)
 files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file })
@ -40048,7 +40056,7 @@ index 82cb169..9e72970 100644
 +	admin_pattern($1, samba_unconfined_script_exec_t)
 ')
 diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
-index e30bb63..2c24007 100644
+index e30bb63..941f823 100644
 --- a/policy/modules/services/samba.te
 +++ b/policy/modules/services/samba.te
@@ -152,9 +152,6 @@ domain_entry_file(winbind_helper_t, winbind_helper_exec_t)
@ -40082,7 +40090,7 @@ index e30bb63..2c24007 100644
 # smbd Local policy
 #
 -allow smbd_t self:capability { chown fowner setgid setuid sys_nice sys_resource lease dac_override dac_read_search };
-+allow smbd_t self:capability { chown fowner kill setgid setuid sys_nice sys_admin sys_resource lease dac_override dac_read_search };
+allow smbd_t self:capability { chown fowner kill setgid setuid sys_chroot sys_nice sys_admin sys_resource lease dac_override dac_read_search };
 dontaudit smbd_t self:capability sys_tty_config;
 allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow smbd_t self:process setrlimit;
@ -41756,7 +41764,7 @@ index 078bcd7..2d60774 100644
 +/root/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 +/root/\.shosts				gen_context(system_u:object_r:ssh_home_t,s0)
 diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index 22adaca..80b2f2e 100644
+index 22adaca..68ad7a7 100644
 --- a/policy/modules/services/ssh.if
 +++ b/policy/modules/services/ssh.if
@@ -32,10 +32,10 @@
@ -41958,7 +41966,7 @@ index 22adaca..80b2f2e 100644
 	libs_read_lib_files($1_ssh_agent_t)
-@@ -393,14 +408,11 @@ template(`ssh_role_template',`
+@@ -393,14 +408,13 @@ template(`ssh_role_template',`
 	seutil_dontaudit_read_config($1_ssh_agent_t)
 	# Write to the user domain tty.
@ -41971,10 +41979,12 @@ index 22adaca..80b2f2e 100644
 -	allow $3 $1_ssh_agent_t:fd use;
 -	allow $3 $1_ssh_agent_t:fifo_file rw_file_perms;
 -	allow $3 $1_ssh_agent_t:process sigchld;
 +
 +	ssh_run_keygen($3,$2)
 	tunable_policy(`use_nfs_home_dirs',`
 		fs_manage_nfs_files($1_ssh_agent_t)
-@@ -477,8 +489,9 @@ interface(`ssh_read_pipes',`
+@@ -477,8 +491,9 @@ interface(`ssh_read_pipes',`
 		type sshd_t;
 	')
@ -41985,7 +41995,7 @@ index 22adaca..80b2f2e 100644
 ########################################
 ## <summary>
 ##	Read and write a ssh server unnamed pipe.
-@@ -494,7 +507,7 @@ interface(`ssh_rw_pipes',`
+@@ -494,7 +509,7 @@ interface(`ssh_rw_pipes',`
 		type sshd_t;
 	')
@ -41994,7 +42004,7 @@ index 22adaca..80b2f2e 100644
 ')
 ########################################
-@@ -586,6 +599,24 @@ interface(`ssh_domtrans',`
+@@ -586,6 +601,24 @@ interface(`ssh_domtrans',`
 ########################################
 ## <summary>
@ -42019,7 +42029,7 @@ index 22adaca..80b2f2e 100644
 ##	Execute the ssh client in the caller domain.
 ## </summary>
 ## <param name="domain">
-@@ -618,7 +649,7 @@ interface(`ssh_setattr_key_files',`
+@@ -618,7 +651,7 @@ interface(`ssh_setattr_key_files',`
 		type sshd_key_t;
 	')
@ -42028,7 +42038,7 @@ index 22adaca..80b2f2e 100644
 	files_search_pids($1)
 ')
-@@ -680,6 +711,32 @@ interface(`ssh_domtrans_keygen',`
+@@ -680,6 +713,32 @@ interface(`ssh_domtrans_keygen',`
 	domtrans_pattern($1, ssh_keygen_exec_t, ssh_keygen_t)
 ')
@ -42061,7 +42071,7 @@ index 22adaca..80b2f2e 100644
 ########################################
 ## <summary>
 ##	Read ssh server keys
-@@ -695,7 +752,7 @@ interface(`ssh_dontaudit_read_server_keys',`
+@@ -695,7 +754,7 @@ interface(`ssh_dontaudit_read_server_keys',`
 		type sshd_key_t;
 	')
@ -42070,7 +42080,7 @@ index 22adaca..80b2f2e 100644
 ')
 ######################################
-@@ -735,3 +792,21 @@ interface(`ssh_delete_tmp',`
+@@ -735,3 +794,21 @@ interface(`ssh_delete_tmp',`
 	files_search_tmp($1)
 	delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
 ')
@ -42093,7 +42103,7 @@ index 22adaca..80b2f2e 100644
 +	allow $1 sshd_t:process signull;
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 2dad3c8..7f14c83 100644
+index 2dad3c8..594aa01 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
@@ -6,26 +6,32 @@ policy_module(ssh, 2.2.0)
@ -42422,7 +42432,7 @@ index 2dad3c8..7f14c83 100644
 ') dnl endif TODO
 ########################################
-@@ -322,14 +369,18 @@ tunable_policy(`ssh_sysadm_login',`
+@@ -322,14 +369,19 @@ tunable_policy(`ssh_sysadm_login',`
 # ssh_keygen_t is the type of the ssh-keygen program when run at install time
 # and by sysadm_t
@ -42438,11 +42448,12 @@ index 2dad3c8..7f14c83 100644
 +manage_dirs_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t)
 +manage_files_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t)
 +userdom_admin_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)
 +userdom_user_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)
 +
 kernel_read_kernel_sysctls(ssh_keygen_t)
 fs_search_auto_mountpoints(ssh_keygen_t)
-@@ -353,7 +404,7 @@ logging_send_syslog_msg(ssh_keygen_t)
+@@ -353,7 +405,7 @@ logging_send_syslog_msg(ssh_keygen_t)
 userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
 optional_policy(`
@ -49359,7 +49370,7 @@ index cc83689..3388f34 100644
 +')
 +
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index ea29513..55561ae 100644
+index ea29513..819a8d5 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
@@ -16,6 +16,34 @@ gen_require(`
@ -50078,7 +50089,15 @@ index ea29513..55561ae 100644
 optional_policy(`
 	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -810,11 +1103,19 @@ optional_policy(`
+@@ -800,7 +1093,6 @@ optional_policy(`
 ')
 optional_policy(`
 -	udev_rw_db(initrc_t)
 	udev_manage_pid_files(initrc_t)
 	udev_manage_rules_files(initrc_t)
 ')
@@ -810,11 +1102,19 @@ optional_policy(`
 ')
 optional_policy(`
@ -50099,7 +50118,7 @@ index ea29513..55561ae 100644
 	ifdef(`distro_redhat',`
 		# system-config-services causes avc messages that should be dontaudited
-@@ -824,6 +1125,25 @@ optional_policy(`
+@@ -824,6 +1124,25 @@ optional_policy(`
 	optional_policy(`
 		mono_domtrans(initrc_t)
 	')
@ -50125,7 +50144,7 @@ index ea29513..55561ae 100644
 ')
 optional_policy(`
-@@ -849,3 +1169,42 @@ optional_policy(`
+@@ -849,3 +1168,42 @@ optional_policy(`
 optional_policy(`
 	zebra_read_config(initrc_t)
 ')
@ -53434,7 +53453,7 @@ index 170e2c7..0aa893a 100644
 +')
 +')
 diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index 7ed9819..1d43b4b 100644
+index 7ed9819..5ae4038 100644
 --- a/policy/modules/system/selinuxutil.te
 +++ b/policy/modules/system/selinuxutil.te
@@ -22,6 +22,9 @@ attribute can_relabelto_binary_policy;
@ -53617,7 +53636,7 @@ index 7ed9819..1d43b4b 100644
 ifdef(`distro_ubuntu',`
 	optional_policy(`
 		unconfined_domain(restorecond_t)
-@@ -353,7 +382,7 @@ optional_policy(`
+@@ -353,16 +382,19 @@ optional_policy(`
 allow run_init_t self:process setexec;
 allow run_init_t self:capability setuid;
 allow run_init_t self:fifo_file rw_file_perms;
@ -53626,7 +53645,11 @@ index 7ed9819..1d43b4b 100644
 # often the administrator runs such programs from a directory that is owned
 # by a different user or has restrictive SE permissions, do not want to audit
-@@ -363,6 +392,7 @@ dontaudit run_init_t self:capability { dac_override dac_read_search };
+ # the failed access to the current directory
 dontaudit run_init_t self:capability { dac_override dac_read_search };
 +kernel_dontaudit_getattr_core_if(run_init_t)
 +
 corecmd_exec_bin(run_init_t)
 corecmd_exec_shell(run_init_t)
@ -53634,7 +53657,7 @@ index 7ed9819..1d43b4b 100644
 dev_dontaudit_list_all_dev_nodes(run_init_t)
 domain_use_interactive_fds(run_init_t)
-@@ -380,6 +410,8 @@ selinux_compute_create_context(run_init_t)
+@@ -380,6 +412,8 @@ selinux_compute_create_context(run_init_t)
 selinux_compute_relabel_context(run_init_t)
 selinux_compute_user_contexts(run_init_t)
@ -53643,7 +53666,15 @@ index 7ed9819..1d43b4b 100644
 auth_use_nsswitch(run_init_t)
 auth_domtrans_chk_passwd(run_init_t)
 auth_domtrans_upd_passwd(run_init_t)
-@@ -396,7 +428,7 @@ miscfiles_read_localization(run_init_t)
+@@ -388,6 +422,7 @@ auth_dontaudit_read_shadow(run_init_t)
 init_spec_domtrans_script(run_init_t)
 # for utmp
 init_rw_utmp(run_init_t)
 +init_dontaudit_getattr_initctl(run_init_t)
 logging_send_syslog_msg(run_init_t)
@@ -396,7 +431,7 @@ miscfiles_read_localization(run_init_t)
 seutil_libselinux_linked(run_init_t)
 seutil_read_default_contexts(run_init_t)
@ -53652,7 +53683,7 @@ index 7ed9819..1d43b4b 100644
 ifndef(`direct_sysadm_daemon',`
 	ifdef(`distro_gentoo',`
-@@ -405,6 +437,15 @@ ifndef(`direct_sysadm_daemon',`
+@@ -405,6 +440,19 @@ ifndef(`direct_sysadm_daemon',`
 	')
 ')
@ -53662,13 +53693,17 @@ index 7ed9819..1d43b4b 100644
 +')
 +
 +optional_policy(`
 +	gpm_dontaudit_getattr_gpmctl(run_init_t)
 +')
 +
 +optional_policy(`
 +	rpm_domtrans(run_init_t)
 +')
 +
 ifdef(`distro_ubuntu',`
 	optional_policy(`
 		unconfined_domain(run_init_t)
-@@ -420,61 +461,22 @@ optional_policy(`
+@@ -420,61 +468,22 @@ optional_policy(`
 # semodule local policy
 #
@ -53678,22 +53713,22 @@ index 7ed9819..1d43b4b 100644
 -allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 -
 -allow semanage_t policy_config_t:file rw_file_perms;
-
+seutil_semanage_policy(semanage_t)
 +allow semanage_t self:fifo_file rw_fifo_file_perms;
 -allow semanage_t semanage_tmp_t:dir manage_dir_perms;
 -allow semanage_t semanage_tmp_t:file manage_file_perms;
 -files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
-
+manage_dirs_pattern(semanage_t, selinux_var_lib_t,  selinux_var_lib_t)
 +manage_files_pattern(semanage_t, selinux_var_lib_t,  selinux_var_lib_t)
 -kernel_read_system_state(semanage_t)
 -kernel_read_kernel_sysctls(semanage_t)
 -
 -corecmd_exec_bin(semanage_t)
-+seutil_semanage_policy(semanage_t)
+-
 +allow semanage_t self:fifo_file rw_fifo_file_perms;
 -dev_read_urand(semanage_t)
-+manage_dirs_pattern(semanage_t, selinux_var_lib_t,  selinux_var_lib_t)
+-
 +manage_files_pattern(semanage_t, selinux_var_lib_t,  selinux_var_lib_t)
 -domain_use_interactive_fds(semanage_t)
 -
 -files_read_etc_files(semanage_t)
@ -53715,13 +53750,13 @@ index 7ed9819..1d43b4b 100644
 -
 -# Running genhomedircon requires this for finding all users
 -auth_use_nsswitch(semanage_t)
-+# Admins are creating pp files in random locations
+-
 +auth_read_all_files_except_shadow(semanage_t)
 -locallogin_use_fds(semanage_t)
 -
 -logging_send_syslog_msg(semanage_t)
-
+# Admins are creating pp files in random locations
 +auth_read_all_files_except_shadow(semanage_t)
 -miscfiles_read_localization(semanage_t)
 -
 -seutil_libselinux_linked(semanage_t)
@ -53738,7 +53773,7 @@ index 7ed9819..1d43b4b 100644
 # netfilter_contexts:
 seutil_manage_default_contexts(semanage_t)
-@@ -487,118 +489,69 @@ ifdef(`distro_debian',`
+@@ -487,118 +496,69 @@ ifdef(`distro_debian',`
 	files_read_var_lib_symlinks(semanage_t)
 ')
@ -53787,19 +53822,13 @@ index 7ed9819..1d43b4b 100644
 -
 -domain_use_interactive_fds(setfiles_t)
 -domain_dontaudit_search_all_domains_state(setfiles_t)
-+init_dontaudit_use_fds(setsebool_t)
+-
 -files_read_etc_runtime_files(setfiles_t)
 -files_read_etc_files(setfiles_t)
 -files_list_all(setfiles_t)
 -files_relabel_all_files(setfiles_t)
 -files_read_usr_symlinks(setfiles_t)
-+# Bug in semanage
+-
 +seutil_domtrans_setfiles(setsebool_t)
 +seutil_manage_file_contexts(setsebool_t)
 +seutil_manage_default_contexts(setsebool_t)
 +seutil_manage_config(setsebool_t)
 -fs_getattr_xattr_fs(setfiles_t)
 -fs_list_all(setfiles_t)
 -fs_search_auto_mountpoints(setfiles_t)
@ -53827,9 +53856,15 @@ index 7ed9819..1d43b4b 100644
 -init_use_script_fds(setfiles_t)
 -init_use_script_ptys(setfiles_t)
 -init_exec_script_files(setfiles_t)
-
+init_dontaudit_use_fds(setsebool_t)
 -logging_send_syslog_msg(setfiles_t)
-
+# Bug in semanage
 +seutil_domtrans_setfiles(setsebool_t)
 +seutil_manage_file_contexts(setsebool_t)
 +seutil_manage_default_contexts(setsebool_t)
 +seutil_manage_config(setsebool_t)
 -miscfiles_read_localization(setfiles_t)
 +########################################
 +#
@ -54753,26 +54788,29 @@ index 0000000..1e5b954
 +	readahead_manage_pid_files(systemd_notify_t)
 +')
 diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
-index 0291685..ff75c28 100644
+index 0291685..7e94f4b 100644
 --- a/policy/modules/system/udev.fc
 +++ b/policy/modules/system/udev.fc
-@@ -11,6 +11,9 @@
+@@ -1,6 +1,6 @@
 -/dev/\.udev(/.*)? --	gen_context(system_u:object_r:udev_tbl_t,s0)
 -/dev/\.udevdb	--	gen_context(system_u:object_r:udev_tbl_t,s0)
 -/dev/udev\.tbl	--	gen_context(system_u:object_r:udev_tbl_t,s0)
 +/dev/\.udev(/.*)? --	gen_context(system_u:object_r:udev_var_run_t,s0)
 +/dev/\.udevdb	--	gen_context(system_u:object_r:udev_var_run_t,s0)
 +/dev/udev\.tbl	--	gen_context(system_u:object_r:udev_var_run_t,s0)
- /lib/udev/udev-acl --	gen_context(system_u:object_r:udev_exec_t,s0)
+ /etc/dev\.d/.+	--	gen_context(system_u:object_r:udev_helper_exec_t,s0)
@@ -21,4 +21,6 @@
 +/run/udev(/.*)? --    gen_context(system_u:object_r:udev_tbl_t,s0)
 +/run/\.udev(/.*)? --	gen_context(system_u:object_r:udev_tbl_t,s0)
 +
 /sbin/start_udev --	gen_context(system_u:object_r:udev_exec_t,s0)
 /sbin/udev	--	gen_context(system_u:object_r:udev_exec_t,s0)
 /sbin/udevadm	--	gen_context(system_u:object_r:udev_exec_t,s0)
@@ -22,3 +25,4 @@
 /usr/bin/udevinfo --	gen_context(system_u:object_r:udev_exec_t,s0)
- /var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
+-/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
 +/var/run/PackageKit/udev(/.*)?	gen_context(system_u:object_r:udev_var_run_t,s0)
 +/var/run/libgpod(/.*)?	        gen_context(system_u:object_r:udev_var_run_t,s0)    
 +/var/run/udev(/.*)?		gen_context(system_u:object_r:udev_var_run_t,s0)
 diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
-index 025348a..8b50d5f 100644
+index 025348a..4e2ca03 100644
 --- a/policy/modules/system/udev.if
 +++ b/policy/modules/system/udev.if
@@ -34,6 +34,7 @@ interface(`udev_domtrans',`
@ -54793,26 +54831,29 @@ index 025348a..8b50d5f 100644
 ')
 ########################################
-@@ -185,12 +185,14 @@ interface(`udev_dontaudit_search_db',`
+@@ -160,10 +160,10 @@ interface(`udev_manage_rules_files',`
- interface(`udev_read_db',`
+ #
 interface(`udev_dontaudit_search_db',`
 	gen_require(`
- 		type udev_tbl_t;
+-		type udev_tbl_t;
-+		type device_t;
+		type udev_var_run_t;
 	')
- 	dev_list_all_dev_nodes($1)
+-	dontaudit $1 udev_tbl_t:dir search_dir_perms;
- 	allow $1 udev_tbl_t:dir list_dir_perms;
+	dontaudit $1 udev_var_run_t:dir search_dir_perms;
 	read_files_pattern($1, udev_tbl_t, udev_tbl_t)
 	read_lnk_files_pattern($1, udev_tbl_t, udev_tbl_t)
 +	allow $1 device_t:file read_file_perms;
 ')
 ########################################
-@@ -214,6 +216,24 @@ interface(`udev_rw_db',`
+@@ -183,19 +183,32 @@ interface(`udev_dontaudit_search_db',`
- 
+ ## <infoflow type="read" weight="10"/>
- ########################################
+ #
- ## <summary>
+ interface(`udev_read_db',`
-+##	Allow process to modify relabelto udev database
+	udev_read_pid_files($1)
 +')
 +
 +########################################
 +## <summary>
 +##	Allow process to modify list of devices.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@ -54820,21 +54861,73 @@ index 025348a..8b50d5f 100644
 +##	</summary>
 +## </param>
 +#
 +interface(`udev_rw_db',`
 	gen_require(`
 -		type udev_tbl_t;
 +		type udev_var_run_t;
 	')
 +	files_search_pids($1)
 	dev_list_all_dev_nodes($1)
 -	allow $1 udev_tbl_t:dir list_dir_perms;
 -	read_files_pattern($1, udev_tbl_t, udev_tbl_t)
 -	read_lnk_files_pattern($1, udev_tbl_t, udev_tbl_t)
 +	rw_files_pattern($1, udev_var_run_t, udev_var_run_t)
 ')
 ########################################
 ## <summary>
 -##	Allow process to modify list of devices.
 +##	Allow process to modify relabelto udev database
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -203,13 +216,36 @@ interface(`udev_read_db',`
 ##	</summary>
 ## </param>
 #
 -interface(`udev_rw_db',`
 +interface(`udev_relabelto_db',`
 +	gen_require(`
-+		type udev_tbl_t;
+		type udev_var_run_t;
 +	')
 +
-+	allow $1 udev_tbl_t:file relabelto_file_perms;
+	files_search_pids($1)
 +	allow $1 udev_var_run_t:file relabelto_file_perms;
 +')
 +
 +########################################
 +## <summary>
- ##	Create, read, write, and delete
+##	Create, read, write, and delete
- ##	udev pid files.
+##	udev pid files.
- ## </summary>
+## </summary>
-@@ -231,3 +251,62 @@ interface(`udev_manage_pid_files',`
+## <param name="domain">
- 	files_search_var_lib($1)
+##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`udev_read_pid_files',`
 	gen_require(`
 -		type udev_tbl_t;
 +		type udev_var_run_t;
 	')
 	dev_list_all_dev_nodes($1)
 -	allow $1 udev_tbl_t:file rw_file_perms;
 +	files_search_pids($1)
 +	allow $1 udev_var_run_t:dir list_dir_perms;
 +	read_files_pattern($1, udev_var_run_t, udev_var_run_t)
 +	read_lnk_files_pattern($1, udev_var_run_t, udev_var_run_t)
 ')
 ########################################
@@ -228,6 +264,65 @@ interface(`udev_manage_pid_files',`
 		type udev_var_run_t;
 	')
 -	files_search_var_lib($1)
 +	files_search_pids($1)
 	manage_files_pattern($1, udev_var_run_t, udev_var_run_t)
 ')
 +
@ -54897,10 +54990,10 @@ index 025348a..8b50d5f 100644
 +')
 +
 diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index d88f7c3..1cadaa2 100644
+index d88f7c3..b18dc17 100644
 --- a/policy/modules/system/udev.te
 +++ b/policy/modules/system/udev.te
-@@ -14,6 +14,8 @@ domain_entry_file(udev_t, udev_helper_exec_t)
+@@ -14,17 +14,17 @@ domain_entry_file(udev_t, udev_helper_exec_t)
 domain_interactive_fd(udev_t)
 init_daemon_domain(udev_t, udev_exec_t)
@ -54909,7 +55002,19 @@ index d88f7c3..1cadaa2 100644
 type udev_etc_t alias etc_udev_t;
 files_config_file(udev_etc_t)
-@@ -38,6 +40,12 @@ ifdef(`enable_mcs',`
+-type udev_tbl_t alias udev_tdb_t;
 -files_type(udev_tbl_t)
 -
 type udev_rules_t;
 files_type(udev_rules_t)
 type udev_var_run_t;
 files_pid_file(udev_var_run_t)
 +typealias udev_var_run_t alias udev_tbl_t;
 ifdef(`enable_mcs',`
 	kernel_ranged_domtrans_to(udev_t, udev_exec_t, s0 - mcs_systemhigh)
@@ -38,6 +38,12 @@ ifdef(`enable_mcs',`
 allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace };
 dontaudit udev_t self:capability sys_tty_config;
@ -54922,7 +55027,7 @@ index d88f7c3..1cadaa2 100644
 allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow udev_t self:process { execmem setfscreate };
 allow udev_t self:fd use;
-@@ -52,6 +60,7 @@ allow udev_t self:unix_dgram_socket sendto;
+@@ -52,6 +58,7 @@ allow udev_t self:unix_dgram_socket sendto;
 allow udev_t self:unix_stream_socket connectto;
 allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow udev_t self:rawip_socket create_socket_perms;
@ -54930,27 +55035,29 @@ index d88f7c3..1cadaa2 100644
 allow udev_t udev_exec_t:file write;
 can_exec(udev_t, udev_exec_t)
-@@ -64,7 +73,8 @@ allow udev_t udev_etc_t:file read_file_perms;
+@@ -62,17 +69,16 @@ can_exec(udev_t, udev_helper_exec_t)
 # read udev config
 allow udev_t udev_etc_t:file read_file_perms;
- # create udev database in /dev/.udevdb
+-# create udev database in /dev/.udevdb
- allow udev_t udev_tbl_t:file manage_file_perms;
+-allow udev_t udev_tbl_t:file manage_file_perms;
 -dev_filetrans(udev_t, udev_tbl_t, file)
-+allow udev_t udev_tbl_t:lnk_file manage_file_perms;
+-
 +dev_filetrans(udev_t, udev_tbl_t, { file lnk_file } )
 list_dirs_pattern(udev_t, udev_rules_t, udev_rules_t)
 read_files_pattern(udev_t, udev_rules_t, udev_rules_t)
-@@ -72,7 +82,8 @@ read_files_pattern(udev_t, udev_rules_t, udev_rules_t)
+ 
 manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t)
 manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
 manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
 -files_pid_filetrans(udev_t, udev_var_run_t, { dir file })
 +files_pid_filetrans(udev_t, udev_var_run_t, { file dir })
 +allow udev_t udev_var_run_t:file mounton;
 +dev_filetrans(udev_t, udev_var_run_t, { file lnk_file } )
 +
 kernel_read_system_state(udev_t)
 kernel_request_load_module(udev_t)
-@@ -87,6 +98,7 @@ kernel_rw_unix_dgram_sockets(udev_t)
+@@ -87,6 +93,7 @@ kernel_rw_unix_dgram_sockets(udev_t)
 kernel_dgram_send(udev_t)
 kernel_signal(udev_t)
 kernel_search_debugfs(udev_t)
@ -54958,7 +55065,7 @@ index d88f7c3..1cadaa2 100644
 #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
 kernel_rw_net_sysctls(udev_t)
-@@ -111,15 +123,20 @@ domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
+@@ -111,15 +118,20 @@ domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
 files_read_usr_files(udev_t)
 files_read_etc_runtime_files(udev_t)
@ -54980,7 +55087,7 @@ index d88f7c3..1cadaa2 100644
 mcs_ptrace_all(udev_t)
-@@ -143,6 +160,7 @@ auth_use_nsswitch(udev_t)
+@@ -143,6 +155,7 @@ auth_use_nsswitch(udev_t)
 init_read_utmp(udev_t)
 init_dontaudit_write_utmp(udev_t)
 init_getattr_initctl(udev_t)
@ -54988,7 +55095,7 @@ index d88f7c3..1cadaa2 100644
 logging_search_logs(udev_t)
 logging_send_syslog_msg(udev_t)
-@@ -186,15 +204,16 @@ ifdef(`distro_redhat',`
+@@ -186,15 +199,16 @@ ifdef(`distro_redhat',`
 	fs_manage_tmpfs_chr_files(udev_t)
 	fs_relabel_tmpfs_blk_file(udev_t)
 	fs_relabel_tmpfs_chr_file(udev_t)
@ -55008,7 +55115,7 @@ index d88f7c3..1cadaa2 100644
 ')
 optional_policy(`
-@@ -216,11 +235,16 @@ optional_policy(`
+@@ -216,11 +230,16 @@ optional_policy(`
 ')
 optional_policy(`
@ -55025,7 +55132,7 @@ index d88f7c3..1cadaa2 100644
 ')
 optional_policy(`
-@@ -233,6 +257,10 @@ optional_policy(`
+@@ -233,6 +252,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -55036,7 +55143,7 @@ index d88f7c3..1cadaa2 100644
 	lvm_domtrans(udev_t)
 ')
-@@ -259,6 +287,10 @@ optional_policy(`
+@@ -259,6 +282,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -55047,7 +55154,7 @@ index d88f7c3..1cadaa2 100644
 	openct_read_pid_files(udev_t)
 	openct_domtrans(udev_t)
 ')
-@@ -273,6 +305,11 @@ optional_policy(`
+@@ -273,6 +300,11 @@ optional_policy(`
 ')
 optional_policy(`
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -21,7 +21,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.16
-Release: 10%{?dist}
+Release: 11%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -475,6 +475,10 @@ exit 0
 %endif
 %changelog
 * Mon Apr 4 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.16-11
 - Fix label for /var/run/udev to udev_var_run_t
 - Mock needs to be able to read network state
 * Fri Apr 1 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.16-10
 - Add file_contexts.subs to handle /run and /run/lock
 - Add other fixes relating to /run changes from F15 policy